As of Core Update 131 the guardian add-on is no longer required for the Intrusion Detection System (IDS). Guardian will still provide means against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.
Guardian is an extension to the IPFire Intrusion Detection System, which enables automatic blocking of IP addresses which are associated with intrusion attempts.
Since the legacy version, guardian massively has been improved by the IPFire team and now is able to detect and prevent from brute force attacks against the IPFire web interface and SSH daemon.
Technically guardian monitors (based on its configuration) several different files for modifications and parses the recently added lines. For each offensive IP address guardian internal uses a counter, when this counter reaches the configured maximum amount an iptables rule will be created which drops the complete traffic for a dedicated time interval.
guardian can be installed with the Pakfire web interface or via the console:
pakfire install guardian
Guardian completely can be managed by using the IPFire web interface. A corresponding menu entry will be displayed after the addon has been installed.
Enables or disables the Brute-force detection for the local running SSH daemon. The default setting will beon.
By using this option, guardian will detect Brute-force login attempts against the IPFire web interface. Defaults to on.
The log facility option allows to configure where guardian should sent any generated log messages. Available facilities are:
This drop down menu allows you to configure the log level of guardian. This setting affects the amount of messages which are written to the log file.
This option allows to configure if a "DROP" or "REJECT" rule should be created if an attacker gets blocked by guardian. More details can be found here.
For several reasons, it might be better to use "DROP", especially in case the firewall machine is directly connected to the internet. The "REJECT" option sends an ICMP package back to the source, which reveals that there is something answering. In case of "DROP", it will look like the destination went offline. You might want to look here for further information.
The Strike Threshold contains the maximum amount of attempts for an aggressive IP address before it will be blocked. The minimum value has to be at least "1". The default setting is 3.
The block time describes the time interval, which has to be passed until a block against an IP address automatically get released again. Default value is 86400 seconds which equals to 24 hours.
This option only will be displayed if the log facility is set to "File" and allows to configure the location of guardians log file.
Guardian has a built-in support for ignoring attacks from single hosts or whole subnets. It feature can be used to prevent critical devices or systems on your local networks from incorrectly being blocked by guardian.
The ignore list easily can be manipulated by using the web interface. Existing elements from the list can be dropped by clicking the trash icon next to each.
A new entry can be added by using the input field and using the Add button.
Valid inputs are all kind of single IPv4 addresses or networks. Guardian accepts networks with an appended prefix (192.168.0.0/24) or net mask in dot-decimal notation (192.168.0.0/255.255.255.0).
A full list of all currently blocked IP addresses is displayed in the web interface.
A single list entry can be dropped by clicking the trash icon next to the IP address.
A single host manually can be blocked by filling in its IP address into the input field and using the Block button.
The complete list can be flushed by using the Unblock All button.